Monday, November 02, 2009

Watcher: Spotting dubious webishness

November's toolsmith features Watcher, a great passive security auditor from Chris Weber of Casaba Security, that detects web application security issues as well as operational configuration concerns. Watcher plugs neatly into Fiddler, an indispensable proxy that should be an inherent part of your web application assessment tool kit.The toolsmitharticle covers using Watcher to detect "dubious" comments, unset HTTPOnly flags, open redirects, and bad cross domain flash policy, so I won't repeat myself here.Watcher is also excellent for detecting likely XSS vulnerabilities, and will passively detect prospective parameters while you browse. As an example, a visit to a site that shall remain anonymous only to those without fundamental Google skills results in Figure 1, seen by Watcher as it passively reviews a site with 37 different checks.

Figure 1

Note that Watcher spots what it declares is a potentially high severity user controllable HTML element attribute. Watcher further indicates that the fourth input tag value attribute is specific to the keyword variable. A quick "active" test by the author quickly validates Watcher's assumptions as seen in Figure 2.

Figure 2

Passive security auditing indeed; no effort required! Results are easily exported as well. Browse a client site while enjoying a good sandwich and coffee, dump the results, and build your work list as a preliminary recon step for your next penetration testing engagement. Enjoy this excellent tool; use it in good stead.Cheers.

Subscribe To HolisticInfoSec

About Me

Russ McRee works for Microsoft's Online Services Security & Compliance team. He writes toolsmith, a monthly column in ISSA Journal. Russ has spoken infosec events such Defcon, Black Hat, RSA,and FIRST and has published in the likes of Information Security, Linux Magazine, (IN)SECURE, and SysAdmin. As an advocate of a holistic approach to information security, Russ' website is holisticinfosec.org.
He also serves as a volunteer handler for the SANS Internet Storm Center.